MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
SHA3-384 hash: d3c614064c87eb2877b17e0ee049b4456364b9b25df0dd95e926d5f2cfcabf017274ac7342f485552e067f6e094a41ec
SHA1 hash: da77a228761dba8a35d68e4d8f28c7953817969e
MD5 hash: 23c181a44ca7f5e9c0f422dbd2bfbec8
humanhash: butter-oscar-violet-arizona
File name:f6a607c6432e0e941c8487c443965bf64150e13cce8d2c312ca9f8d4.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'314'816 bytes
First seen:2023-10-25 04:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4498ed238a5d5d6510e036e3bb29986 (8 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:bKuO345cRv/kabphVsJhfYPzyB+4Buxrhre0Qgd/0hkEBS/:bLysS24mwe0zMkEe
Threatray 249 similar samples on MalwareBazaar
TLSH T1E355D016F66188B5F03B0A396B2B57DEDF1C6E2929A4284B27FD7E580E35243345D0B3
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2a666013d6d253ac (12 x DBatLoader, 1 x AgentTesla, 1 x RemcosRAT)
Reporter r3dbU7z
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
f6a607c6432e0e941c8487c443965bf64150e13cce8d2c312ca9f8d4.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 04:34:38 UTC
Tags:
dbatloader warzone rat remote avemaria
Link:
https://app.any.run/tasks/6bb6bbf3-655a-48f5-bc34-1ea8ac4b5700

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456149/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.23585.14938.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/65389abb8fff7db12b099d73/reports/2cd1a7f9-ac51-422e-96b9-b927116a4439/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ff4a11f-a848-452e-b328-576213e5ebea
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331675
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331675 Sample: f6a607c6432e0e941c8487c4439... Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 67 freshwarsmi.ddns.net 2->67 69 web.fe.1drv.com 2->69 71 3 other IPs or domains 2->71 79 Snort IDS alert for network traffic 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Found malware configuration 2->83 85 11 other signatures 2->85 12 f6a607c6432e0e941c8487c443965bf64150e13cce8d2c312ca9f8d4.exe 1 8 2->12         started        16 Moyvcizt.PIF 2->16         started        18 Moyvcizt.PIF 2->18         started        signatures3 process4 file5 59 C:\Users\Public\Libraries\tzicvyoM.pif, PE32 12->59 dropped 61 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->61 dropped 63 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->63 dropped 65 C:\Users\Public\Libraries\Moyvcizt.PIF, PE32 12->65 dropped 107 Contains functionality to hide user accounts 12->107 109 Drops PE files with a suspicious file extension 12->109 111 Writes to foreign memory regions 12->111 20 tzicvyoM.pif 3 4 12->20         started        24 cmd.exe 1 12->24         started        26 backgroundTaskHost.exe 12->26         started        113 Allocates memory in foreign processes 16->113 115 Sample uses process hollowing technique 16->115 28 tzicvyoM.pif 16->28         started        117 Multi AV Scanner detection for dropped file 18->117 119 Machine Learning detection for dropped file 18->119 30 WerFault.exe 18->30         started        signatures6 process7 dnsIp8 75 freshwarsmi.ddns.net 45.151.122.57, 49740, 5200 STUMPNERNETDE Germany 20->75 87 Detected unpacking (changes PE section rights) 20->87 89 Detected unpacking (overwrites its own PE header) 20->89 91 Found evasive API chain (may stop execution after checking mutex) 20->91 103 8 other signatures 20->103 93 Uses ping.exe to sleep 24->93 95 Drops executables to the windows directory (C:\Windows) and starts them 24->95 97 Uses ping.exe to check the status of other devices and networks 24->97 32 easinvoker.exe 24->32         started        34 PING.EXE 1 24->34         started        37 xcopy.exe 2 24->37         started        40 8 other processes 24->40 99 DLL side loading technique detected 26->99 101 Contains functionality to hide user accounts 28->101 signatures9 process10 dnsIp11 42 cmd.exe 1 32->42         started        73 127.0.0.1 unknown unknown 34->73 55 C:\Windows \System32\easinvoker.exe, PE32+ 37->55 dropped 57 C:\Windows \System32\netutils.dll, PE32+ 40->57 dropped file12 process13 signatures14 105 Adds a directory exclusion to Windows Defender 42->105 45 cmd.exe 1 42->45         started        48 conhost.exe 42->48         started        process15 signatures16 121 Adds a directory exclusion to Windows Defender 45->121 50 powershell.exe 23 45->50         started        process17 signatures18 77 DLL side loading technique detected 50->77 53 conhost.exe 50->53         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 04:34:06 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulgpwpl2q2v6ec7vt6pfbfmodrv3cmh3qabu4m2vluausmzelmca._file
Verdict:
malicious
Similar samples:
00174652cb6423c2ab0160ebbaa0b5918daa97c297ca39526232cb06e60c7ad9
DBatLoader
218b06f1a24c05c5fa1480a3c0153957800fb882d977acd28eb4d853c976fb7a
DBatLoader
240faad2172324c119d325a9396e55f0e635bac9ddf9442340439fc49fdd8bab
DBatLoader
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
DBatLoader
8f82951ca10a326a39d6f1a4e91515dbac43b7c0f8c29b920de3522e6a870892
DBatLoader
95c4b78aa2574cc094f0ab1ca7fac7b2adef8123aab82680c1a88df43f5a282e
DBatLoader
b15a8668037928b4cc574506dc96518162693d531de044e7adf67461a123b1e5
DBatLoader
cd26009a2cfa0a5f8b8e44786b045b4a0d8faf78ae5ae044a64226f3ced2bda7
DBatLoader
f75bcc250ddc6772d6aea9331879d102ee83b9e6b707e252d4771b02c5df9001
DBatLoader
+ 239 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/231025-e64afsea86/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
freshwarsmi.ddns.net:5200
Unpacked files
SH256 hash:
6e1ccc671cbc804eaa1e696cf38d423e000cd25085630011a06f27255c2c8c22
MD5 hash:
da11ecc6ba16ac446e0cebf3cdee67f3
SHA1 hash:
5af422586e0c690cfc57fc9966d80ea71ced9efe
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/f8dd9904-7f69-4fab-8bc5-da8b8d8cb6b4/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/f8dd9904-7f69-4fab-8bc5-da8b8d8cb6b4/
SH256 hash:
a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
MD5 hash:
23c181a44ca7f5e9c0f422dbd2bfbec8
SHA1 hash:
da77a228761dba8a35d68e4d8f28c7953817969e
Link:
https://www.unpac.me/results/f8dd9904-7f69-4fab-8bc5-da8b8d8cb6b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2ccfb3d7a86/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/456149/

Comments